Switch generate_psa_test.py to automatic dependencies for negative test cases

core/psa_crypto.c

@@ -8097,6 +8097,21 @@ psa_status_t psa_key_agreement_iop_setup(
         goto exit;
     }
 
+    /* We only support raw key agreement here, not combined with a key
+     * derivation. Also, for the time being, we only allow ECDH, not
+     * other key agreement algorithms.
+     *
+     * This check could come slightly earlier or later. Having it here
+     * gives consistent error codes with non-interruptible key agreement
+     * (psa_raw_key_agreement(), psa_key_agreement()) when the input
+     * parameters (including the key) are also invalid for
+     * non-interruptible key agreement.
+     */
+    if (alg != PSA_ALG_ECDH) {
+        status = PSA_ERROR_INVALID_ARGUMENT;
+        goto exit;
+    }
+
     operation->attributes = *attributes;
 
     operation->num_ops = 0;

drivers/builtin/src/psa_crypto_ecp.c

@@ -764,6 +764,12 @@ psa_status_t mbedtls_psa_key_agreement_iop_setup(
        complete operation which doesn't reset it after finsishing. */
     operation->num_ops = 0;
 
+    psa_key_type_t private_key_type = psa_get_key_type(private_key_attributes);
+    if (!PSA_KEY_TYPE_IS_ECC_KEY_PAIR(private_key_type)) {
+        status = PSA_ERROR_INVALID_ARGUMENT;
+        goto exit;
+    }
+
     status = mbedtls_psa_ecp_load_representation(
         psa_get_key_type(private_key_attributes),
         psa_get_key_bits(private_key_attributes),
@@ -785,7 +791,7 @@ psa_status_t mbedtls_psa_key_agreement_iop_setup(
     our_key = NULL;
 
     status = mbedtls_psa_ecp_load_representation(
-        PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(psa_get_key_type(private_key_attributes)),
+        PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(private_key_type),
         psa_get_key_bits(private_key_attributes),
         peer_key,
         peer_key_length,